EP1936532B1 - Verschleierung von Computerprogrammcodes - Google Patents
Verschleierung von Computerprogrammcodes Download PDFInfo
- Publication number
- EP1936532B1 EP1936532B1 EP06388071A EP06388071A EP1936532B1 EP 1936532 B1 EP1936532 B1 EP 1936532B1 EP 06388071 A EP06388071 A EP 06388071A EP 06388071 A EP06388071 A EP 06388071A EP 1936532 B1 EP1936532 B1 EP 1936532B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- function
- computer program
- data processing
- processing system
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004590 computer program Methods 0.000 title claims abstract description 56
- 230000006870 function Effects 0.000 claims abstract description 231
- 238000000034 method Methods 0.000 claims abstract description 112
- 238000012545 processing Methods 0.000 claims abstract description 55
- 230000009466 transformation Effects 0.000 claims description 32
- 230000008859 change Effects 0.000 claims description 4
- 238000012805 post-processing Methods 0.000 claims description 4
- 230000001131 transforming effect Effects 0.000 claims description 3
- 238000004458 analytical method Methods 0.000 description 38
- 230000008569 process Effects 0.000 description 24
- 230000003068 static effect Effects 0.000 description 18
- 230000008901 benefit Effects 0.000 description 9
- 230000007246 mechanism Effects 0.000 description 9
- 238000000844 transformation Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 238000013459 approach Methods 0.000 description 4
- 238000006243 chemical reaction Methods 0.000 description 4
- 238000010276 construction Methods 0.000 description 4
- 238000007781 pre-processing Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 238000005206 flow analysis Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000003491 array Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 238000010561 standard procedure Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000007667 floating Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Definitions
- the invention relates to tamper-protection of computer program code, e.g. source code or object code. More specifically, the invention relates to the tamper protection by obfuscating computer program code, in particular obfuscating the call graph of a computer program code.
- Software tampering is an attack which has the purpose of altering the way a piece of software operates in such a way that it brings illegitimate benefits to the attacker.
- the objectives of tampering could be to side-step copy protection or security mechanisms, to extract secret or copyrighted material, to introduce malicious code such as computer viruses, or the like.
- Static (or "offline”) code analysis When performing dynamic analysis, the software is observed as it is executing. In contrast, static analysis is usually limited to an examination/analysis of some representation of the program code, without actually executing it.
- the executable code or machine code of the computer program is the only representation available to an attacker, i.e. the attacker has typically not access to the source code. Consequently, a typical initial step of reverse engineering a computer program includes the creation of a higher-level representation of the executable code using static code analysis.
- function calls are an interesting target for a reverse-engineering attack, since a correct identification of the relation between call sites (i.e. the program points from which function calls are made) and the entry point of each function (i.e. the program points to which the calls are made) is useful for an attacker in order to the understand a computer program.
- This information is commonly represented in the form of a program's call graph, in which each function constitutes a node and each function call a directed edge from the caller function to the called function. Constructing the call graph is thus a frequently applied first step of a reverse-engineering attack.
- Hardware-based techniques perform the combined decryption and execution by specific hardware. Even though properly implemented hardware-based decryption techniques can offer good protection, this protection is achieved at the price of additional, specific hardware.
- obfuscation is the process of transforming a computer program into a semantically equivalent one which is harder to understand (by humans and/or analysis tools) and thus impedes static analysis.
- Some obfuscating transformations mainly target the control flow of the program, others mainly target data.
- Dynamic path based software watermarking by C. Colberg et al., Sigplan notices, vol. 39, June 2004, pages 107-118 , discloses a method of dynamic path-based watermarking.
- the method involves replacing a jump statement to a target address in executable files by a so-called branch function.
- the branch function determines from its original return address and a predetermined mapping the target address, and modifies its own return function to be the determined target address.
- So-called anti-disassembler transformations have the purpose of confusing disassemblers - i.e. tools that convert executable code (machine code) into a text representation (assembly language) - so as to complicate static analysis of a computer program.
- the above and other problems are solved by a computer-implemented method of tamper-protecting a computer program, as defined in claim 1.
- the method comprises
- the method described herein provides a transformation of a software component, where the transformed software component computes the target address / entry points of one or more function calls rather than providing the target address as a constant, thereby obstructing the subsequent detection of the relation between call sites and function entry points by a possible attacker, e.g. by means of standard techniques for call-graph construction.
- the call graph is a useful representation of a piece of software and greatly facilitates the understanding of a software component by humans and/or by subsequent automated analysis. Consequently, by making the analysis/construction of the call graph of a software component more difficult, techniques employed by standard tools for reverse engineering are efficiently blocked or impeded. Furthermore, yet-to-be-designed static analyses that are targeted towards breaking this particular protection are made difficult by embodiments of the method described herein, since they increase the complexity of these attacks for them to be successful.
- the function calls may be represented in different ways, generally depending on the input representation. For example, different programming languages may have different mechanisms for function calls, i.e. mechanisms for causing the execution of the computer program to continue at a predetermined entry point address when the execution reaches a certain call site.
- function calls include a function identifier or function name identifying the function to be called.
- the function call may further specify one or more parameters/variables to be passed to the function.
- a function causes the computer program to return to the calling site and continue execution of the computer program from the calling site onwards.
- the function may return a return value upon return to the calling site.
- function calls may be referred to as "procedure calls" or the like, e.g. in order to distinguish between functions providing a return value and functions that do not provide a return value.
- some programming languages may include other types of function calls which merely cause execution of the computer program to continue at a predetermined address. This type of function call is typically referred to as a goto-statement.
- function calls In the context of object-oriented programming references to methods may be regarded as function calls.
- function call is intended to include all such program statements that cause a data processing system to continue execution of the computer program at a predetermined entry point memory address, typically different from the address subsequent to the memory address of the calling site, and upon termination of the function to return to the calling site and continue execution of the computer program from the calling site onwards.
- the entry point address of the function referred to by an identified function call is encoded using a predetermined encoding function. Accordingly, an algebraic expression may represent a decoding function for computing the entry point memory address from a set of parameters. Consequently, rather than providing the entry point as part of the program, an encoding of it is used.
- the process inserts a corresponding decoding function which - during execution of the program - is evaluated in order to compute the entry point address.
- the address of a function's entry point is not determined until link time and, in particular, the address is not known at compile time. Accordingly, the method further comprises:
- generating the executable representation includes
- replacing further includes inserting one or more program statements into the input representation for assigning a respective preliminary value to each of the set parameters; and wherein modifying includes modifying one or more computer-executable instructions corresponding to the inserted one or more program statements to cause the data processing system to assign the determined parameter values to respective ones of the set of parameters.
- the generation of the preliminary executable program may be performed at least in part by standard tools, e.g. standard compilers and/or linkers.
- a pre-processing module may identify and replace function calls in the source code, determine an encoding function, and insert program code for the setting of encoding parameters to preliminary values.
- these steps may be performed as an integrated part of the compiler.
- a post-processing module may thus modify the resulting instructions for setting the encoding parameters in correspondence with the actual entry point addresses resulting from the linker stage.
- the method includes parsing the input representation so as to identify the function calls included in the input representation, and replacing each identified function call.
- the method further comprises identifying a plurality of function calls and replacing the function calls by respective modified function calls, wherein each modified function call corresponds to a different decoding function, different encodings are provided for different call sites, thereby making it more difficult for an attacker to identify the actual relations between call sites and function entry points.
- More ambitious techniques for call-graph constructions may make an effort to analyze calls via function pointers. Normally such techniques are employed to analyze source code, but an adaptation to a low-level representation may be made the basis of a possible attack.
- One approach may be to base the analysis on a "points-to analysis," the objective of which is to find the set of functions to which a pointer may refer. Even though exact points-to analysis may be impractical, an overestimation of the set of possible functions may be computed.
- a points-to analysis is generally based on the assumption that each function pointer is initialized using a function name (or constant in the case of a low-level representation) somewhere in the program, which is not the case in the transformed code.
- an attack may be directed towards the decoding function.
- the knowledge that the encoded address words are constant or that the initial values form a valid encoding would facilitate such an attack dramatically. In both cases local analysis using a technique called constant folding may be sufficient.
- the method further comprises:
- the encoding may be changed during execution of the program code such that the different encodings all encode the same entry point.
- the encoded values change during the execution of the program code the recovery of the entry points by an attacker based on a static analysis of the program code, e.g. by means of constant folding, is prevented.
- the one or more additional program statements include one or more parameter pointers to respective memory addresses for storing the set of parameter values
- the relation between the changes in the encoding parameters are further obfuscated and an attack by means of standard data-flow analysis is made more difficult.
- the method further comprises inserting one or more auxiliary program statements adapted to cause the data processing system to assign a set of temporary parameter values to the set of parameters; wherein the set of temporary parameter values results in a value of the decoding function different from the entry point memory address.
- the one or more auxiliary program statements are adapted to cause the data processing system to assign the set of temporary parameter values to the set of parameters as a set of initial values.
- the method comprises:
- polymorph function calls may be obfuscated by the same technique as normal (“monomorph”) function calls.
- the identification and replacement of function calls described herein will generally be particularly efficient when the input representation includes source code, i.e. is provided in the form of one or more source code modules.
- program statement as used herein is intended to include a unit of structuring a programming language, in particular a minimal unit of such structuring. Examples of kinds of statements include definitions, declarations, assignments, conditional statements, loops, and function/procedure calls.
- an algebraic expression in a programming language as used herein is intended to include a combination of values, variables, and functions, etc., wherein the combination is interpreted according to the particular rules of precedence and of association for a particular programming language, which combination is adapted to produce and return a result, i.e. a value.
- An algebraic expression may produce a numeric result, e.g. a result having a numeric data type, e.g. a floating point data type or an integer data type.
- an algebraic expression may also produce a result of another data type, or a result that may be cast into another data type.
- the transformed program code causes the data processing system to produce the same program output as the original program code, when said program code is executed by said data processing system.
- the transformation of the program code is semantic-preserving, i.e. has no influence on the program output created by the computer program.
- program output is intended to include any observable behaviour during execution of the program, e.g. any program behaviour that is observable/noticeable by a user, by another computer program, by another device, or the like.
- Examples of program output include the output of numeric values, text output, binary output, output signals, visual, e.g. graphical, output, audible output, etc. that may be output via any suitable output device such as a computer screen, printer, storage medium, communications interface, etc., via a data interface, or the like.
- processing means comprises any circuit and/or device suitably adapted to perform the above functions.
- processing means comprises general- or special-purpose programmable microprocessors, Digital Signal Processors (DSP), Application Specific Integrated Circuits (ASIC), Programmable Logic Arrays (PLA), Field Programmable Gate Arrays (FPGA), special purpose electronic circuits, etc., or a combination thereof.
- the program code means and/or the program code to be transformed may be loaded in a memory, such as a RAM (Random Access Memory), from a storage medium or from another computer via a computer network.
- a memory such as a RAM (Random Access Memory)
- RAM Random Access Memory
- the described features may be implemented by hardwired circuitry instead of software or in combination with software.
- the present invention relates to different aspects including the method described above and in the following, corresponding devices, and computer programs, each yielding one or more of the benefits and advantages described in connection with the above-mentioned methods, and each having one or more embodiments corresponding to the embodiments described in connection with the above-mentioned methods.
- a data processing system is suitably configured to perform the steps of the method described above and in the following.
- a computer program product comprises computer-executable instructions adapted to cause, when executed on a data processing system, the data processing system to perform the method described above and in the following.
- the computer program product is embodied as a computer-readable medium having stored thereon the computer-executable instructions.
- the computer-readable medium may be a compact disc (CD), an optical disc, a diskette, a magnetic storage medium, a memory stick, or the like, that has stored thereon the computer-executable instructions.
- the computer-readable medium may have stored thereon a software application for tamper-protecting program code.
- the computer program product is embodied as a data signal, e.g. a suitably modulated carrier signal.
- the computer-executable instructions may be provided for download from a server computer via a computer network.
- the computer program-product comprises a source-code transformer and a postprocessor.
- the source-code transformer is adapted to identify function calls of a computer program component to be protected, to select an encoding and to transform the function calls.
- the postprocessor is adapted to encode the function entry points (addresses) and to transform the executable image.
- the computer program product may be used in connection with conventional software development tools, e.g. including a conventional compiler and linker.
- the computer program product comprises a set of software generation tools, e.g. a compiler and a linker, comprising functionality adapted to cause the data processing system to perform the method described above and in the following, e.g. as one of a number of compilation passes performed by the compiler and as one or more linker steps performed by the linker.
- a set of software generation tools e.g. a compiler and a linker
- functionality adapted to cause the data processing system to perform the method described above and in the following e.g. as one of a number of compilation passes performed by the compiler and as one or more linker steps performed by the linker.
- storage means/device/medium and computer-readable medium are intended to comprise any suitable storage medium, device or circuit, e.g. a read-only-memory (ROM), a random access memory (RAM), a flash memory, an Erasable Programmable Read-Only Memory (EPROM), volatile or nonvolatile memory, an optical storage device, a magnetic storage device, a diskette, a CD, a hard disk, or the like.
- ROM read-only-memory
- RAM random access memory
- EPROM Erasable Programmable Read-Only Memory
- Fig. 1 shows a schematic block diagram of a process for tamper-protecting program code.
- Fig. 1 illustrates the work-flow at build time of a software component.
- the process receives a source code 101.
- the source code 101 is typically in the form in which a computer program has been written by a programmer, typically in a formal programming language such as C, C++, Java, or the like.
- the source code can be automatically compiled by a compiler into object code or machine code or executed by an interpreter.
- the source code 101 may be represented as one or more text documents or as any other suitable digital representation.
- the tamper-protection process may receive a different type of input representation in which function calls can be identified, e.g. object code.
- the source code 101 is fed into a parser module 103.
- the parser module parses the source code and identifies one or more function calls in the source code.
- the parser module may use any suitable technique for parsing a source code known in the art, for example a subset of the techniques used by conventional compilers when parsing source code as to identify the structural components of the corresponding programming language.
- the parser may select all or just a subset of identified function calls.
- the parser may include a user interface allowing a user to manually select function calls to be transformed. Alternatively or additionally, the parser may select or deselect certain types of function calls.
- the parser module forwards the identified function calls 104, or at least pointers to their respective locations in the source code, to an encoding module/block 118.
- the encoding module 118 encodes the identified function calls as described herein and provides the resulting encoding information 114 about the encoding function(s) used for the encoding of the identified function call(s) as an output.
- the encoding information is also forwarded to a code transformation module/block 105.
- the transformation module 105 transforms the identified function calls into an encoded function call adapted to compute the entry point address of the called function based on the selected/generated encoding from the encoding module 118.
- the transformation module 105 replaces the original function calls in the received source code by the encoded function calls, resulting in a transformed version 109 of the source code.
- the transformation module may insert further program statement, e.g. for initialising and/or changing encoding parameters as described herein.
- the transformed source code 109 is fed into a compiler 110, e.g. a conventional compiler, which compiles the transformed source code to generate corresponding object code 111.
- the object code 111 is subsequently processed by a linker 112 which links the object code and generates an executable code image 113.
- the symbolic addresses of the function entry points are link-time constants, which means that they are not determined when the source code is transformed. For this reason, the second step of the encoding is performed by a post-processor 115 after the linker has resolved symbols.
- the post-processor patches the executable code image 113 so that the encoded entry point address words corresponding to the identified function calls are inserted into the image.
- the post-processor module 115 receives the encoding information 114 from the transformation module 105 and the executable code 113 from the linker 112.
- the post-processor 115 module identifies the instructions in the executable code 113 that define the encoding functions, e.g. instructions that set the values of encoding parameters.
- the post-processor 115 further identifies, e.g. from a map file generated by the linker, the memory addresses of the entry points of the functions that are called from the encoded call sites.
- the post-processor 115 determines the correct values of the encoding parameters, and modifies the identified instructions so as to assign the correct values to the encoding parameters, thus resulting in a transformed - or "patched" - executable code image 116.
- the resulting transformed executable code may subsequently be further processed, e.g. compressed, encrypted, and/or the like.
- the parser 103, the encoding module 118, and transformation module 105 may be implemented as a combined pre-processor module 117 which will also be referred to as a source-code-transformer.
- the encoding process is implemented in the source-code transformer 117 and the post processor 115. It is performed when the software is built, whereas the decoding process is performed by the transformed code and thus takes place when the software 116 is executed.
- the postprocessor 115 receives the following input:
- the process of fig. 1 transforms the source code of the software component to be protected prior to compilation. Constants, which are used by the transformed code are also produced by the source-code transformer. The transformed source-code is compiled and linked, after which the resulting image is patched by the postprocessor, so that the transformed constants are inserted into the image.
- Fig. 2 shows a schematic block diagram of another example of a process for tamper-protecting program code.
- the process shown in fig. 2 is similar to the process in fig. 1 and will therefore not be described in detail again.
- the source-code transformation 205 which in the example of fig. 1 was performed by a module 105 of the pre-processor 117, is integrated into the compiler 210, thereby allowing support for programming languages that do not allow direct manipulation of function pointers. Consequently, the process of fig. 2 includes a preprocessing block 217 which receives the source code 101, parses the source code (block 103) to identify the function calls, and generates (block 118) the encoding of the identified function calls, e.g.
- the encoding information 114 is forwarded from the encoding block 118 to the modified compiler 210.
- the modified compiler 210 further receives the original source code 101 and performs both the transformation 205 and the compilation as an integrated process.
- the subsequent linking and post-processing steps may be performed as described in connection with fig. 1 .
- the process encodes the entry point address referred to by each call site by an encoding function.
- the encoded address is stored in the executable image.
- the source code of the software component is transformed in such a manner that all functions are called via references/pointers, whose values are computed based on encoded parameters stored in the executable program, thus decoding the parameters again.
- examples of encoding functions will be described in greater detail.
- Fig. 3 schematically illustrates an example of an encoding of an entry point address.
- Each address word denotes the entry point of a function and can be represented as an integer.
- W ⁇ 0, 1,...,2 B -1 ⁇ , where B is the word-length of a particular target architecture.
- an n-dimensional encoding function e n : W n ⁇ C n be an injective (one-to one) mapping from n-tuples of address words, W n to some encoded representation, C n .
- C n is an m -tuple of address words, for some m ⁇ n .
- other encoded representations may be used.
- d Sn an extension of d to some superset S n ⁇ R n of R n so that the extended decoding function d Sn is not injective (one-to-one).
- Fig. 3 illustrates the relation between the sets W n , R n , S n , and C n and the functions e n , d n and d Sn .
- the n -dimensional encoding function, e n transforms a collection of n address words ( W n ) into some encoded representation ( C n ).
- the range of e n is a subset of C n called R n
- the n-dimensional decoding function d n is a function from R n to W n
- d Sn is an extension of d n to a larger subset of C n called S n .
- the encoding function e 2 uses the exclusive OR to encode the two address words w 1 and w 2 .
- the operator ⁇ represents the exclusive OR
- (m 1 , m 2 ) ⁇ W 2 are arbitrarily chosen constants.
- the encoded address word is given by a collection of variables c 1 and c 2 .
- An extended decoding function d S2 may now be constructed.
- the parser module of the pre-processor module identifies the address words that are to be encoded, namely the symbolic addresses that denote entry points of functions. Furthermore, the encoding block of the pre-processor module selects an encoding function and a corresponding decoding function. For example, in the above example of the encoding functions e 2 , the encoding block may select random pairs of constants m 1 and m 2 .
- the address word used by each call site is encoded separately. Since several call sites may refer to the same function, this scheme may create multiple, distinct encodings for the same address word.
- Some programming languages such as the C programming language, may have several features that are useful for the purposes of the process described herein, namely support for function pointers, and the support for an interpretation of values of integer type as function pointers.
- the name of a function denotes a function pointer, which points to the entry point of the function in question.
- the normal usage is in the context of a function call, but the name of a function can also be used to create a value of function-pointer type. Consequently, an embodiment of the source-code transformer described herein may be adapted to operate on source code written in the C programming language.
- the transformation removing all direct references of function names in the executable code may thus be achieved by replacing each direct reference by code that computes the corresponding address word, w k , given an encoding, c , of all the address words.
- foo may be represented by w 1 and bar by w 2 .
- the encoding block may select the extended decoding function d s2 described above, and the source code transformer may then replace each reference to foo in the source code by c 1 ⁇ c 2 ⁇ 1 and each reference to bar by c 2 ⁇ c3 ⁇ 2.
- Table 1 illustrates examples of the transformation of direct references to function names in source code in the C programming language. In particular, table 1 shows an example involving the creation of a value of function-pointer type and an example involving a normal function call.
- Table 1 Examples of source-code transformations
- the functions foo and bar are referenced in the original source code: foo is used to initialise a function pointer p , whereas bar is used directly in a function call.
- the transformed direct call of bar uses the type definition funptr_t to increase readability.
- the type cast may be expressed directly, without a type definition: ((int(*)(int)).
- the transformed function calls may be further obfuscated, e.g. by writing the decoded address word to some memory location and later reading it via a pointer alias to the same location, thereby making it more difficult for an attacker to relate the decoding and the call.
- Further examples of obfuscating the transformation includes disguising the encoded calls as ordinary function calls via function pointers or dispatch tables, which are common constructs in e.g. C and C++ programs and many other programming languages. By disguising/obfuscating the transformed calls, they are not easily spottable by an attacker.
- Dispatch tables are a widely used technique, e.g. when implementing late binding in object-oriented programming.
- a dispatch table includes a list of pointers to the actual implementation of each method/function.
- Fig. 4 schematically illustrates a dispatch tables prior to conversion.
- the dispatch table 401 includes a list of pointers 402 to respective functions 403.
- Fig. 5 schematically illustrates an example of a conversion of dispatch tables.
- the transformed dispatch table 501 includes a list of pointers 502 to respective memory addresses 504 that are the starting locations of respective sequences of executable code adapted to compute the corresponding function entry point 503 and to forward the call by branching to the computed entry point 503.
- the memory location of the executable code for computing the function entry point will also be referred to as a "landing pad.”
- the source-code transformer transforms the dispatch tables and generates the "landing pads," i.e. the source-code-transformer generates and inserts the executable code of the landing pad in the source code.
- the computation of the entry point by the landing pad may be performed by a decoding function or an extended decoding function selected by the encoding block as described herein.
- the source-code transformer may either use the same "landing pad" or generate multiple ones. The latter approach makes it harder for an attacker to find the relation between super classes and subclasses in object-oriented languages.
- polymorphism can also be implemented by maintaining the encoded address words as part of the state of an object, i.e. its instance data.
- a pair of encoding and, optionally extended, decoding functions are chosen for each class.
- the decoding function of a subclass may extend that of its super class. In this way it is possible to avoid the "landing pads" and the references to the same from the transformed dispatch table.
- dispatch tables may be advantageous for classes that are part of the protected software component's interface, since further inheritance cannot be supported without revealing the encoding function.
- the pre-processor selects an extended decoding function and inserts code in the source code that causes the encoding to be altered as the code of the transformed component is executed, thus causing the encoded address words to be updated as part of the transformed code.
- the exact form of the update may depend on the actual extended decoding function.
- a further obfuscation of the encoding may be provided by updating the encoding via pointers to the actual data, thus making an attack by standard data-flow analysis more difficult.
- the program statement for updating c' may access it via one or several aliases (i.e. different pointers) that point to c' .
- aliases i.e. different pointers
- the update of the encoding may be protected, e.g. by maintaining the encoded representation as part of the state that is unique to each thread, e.g. on the run-time stack.
- the encoding when updating the encoding, the encoding may be allowed to be temporarily left in an inconsistent state.
- the pre-processing block may identify the functions that form the interface of the software component to be transformed, thus ensuring that the component is only entered via one of these interface functions.
- the pre-processor can thus ensure that the inserted code for updating the encoding parameters establish a valid encoding only when entering one of the interface functions for the first time.
- Fig. 6 shows a schematic block diagram of a system for tamper-protecting program code.
- the system comprises a data processing system 600, e.g. a computer such as a PC.
- the data processing system includes a processing unit 621, e.g. a microprocessor such as a CPU of a computer.
- the processing unit 621 is connected to a storage device 620, such as a hard disk, a memory card interface, an optical disk device, or the like.
- the processing unit 621 is suitably programmed to execute one or more automated software tools 622, such as a source-to-source transformer and a postprocessor as described herein.
- the automated software tool 622 may be adapted to cause the processing unit 621 to load the input representation, e.g.
- the source code, of the program code from the storage device 620, and the pre-processing steps of the method described herein may be performed automatically by said processing unit.
- the processing unit 621 may then store the transformed source code on the storage device 620.
- the processing unit may make the transformed source code available to other programs executed on the data processing systems, e.g. a compiler, and/or output the result via another suitable interface.
- the automated software tool may process, e.g. compile, the transformed source code directly.
- the automated software tool 622, or a separate software tool may be adapted to cause the processing unit 621 to load the compiled and linked executable image from the storage device 620, and the post-processing steps of the method described herein may be performed automatically by said processing unit.
- a function g is called twice and a function h is called once.
- the source-code transformer identifies the three call sites, the corresponding entry points of which are to be encoded.
- the encoding block then selects an encoding.
- the transformation block transforms the source code.
- the typecast (funptr_g) converts the integer-valued expression to a function pointer.
- int y int * ⁇ int ⁇ c ⁇ 0 ⁇ ⁇ 0 ⁇ 1234 ⁇ x ;
- the process further provides the encoded entry points, i.e. includes the transformed constants in the code. It may be observed that the source code itself may be adapted to encode the constants, for instance by the following program statements:
- the post-processor may perform the encoding and patch the linked executable code as described herein.
- the post-processor modifies the executable image by patching the initializer of the array c so as to substitute the constant 0x80000334 for 1111, and the constant 0x5638 for 2222.
- the process may generate multiple, distinct encodings of the same entry point.
- different encodings may for instance be used in the two calls to g .
- the encoded values are constant, a static analysis may suffice to recover the entry points, e.g. by constant folding. This may be prevented by altering the encoding over time, i.e. during execution of the transformed program. In particular, it may be beneficial when the initial values of c do not form a valid encoding, from which the entry points can be recovered using the formulas that can be found in the object code of the transformed program.
- c ⁇ 0 0 ⁇ 91111225
- c ⁇ 1 0 ⁇ 5638
- c ⁇ 2 0 ⁇ 83455629
- c ⁇ 3 0 ⁇ 11111111
- the source-code transformer ensures that the correct value of m is set by the running program before it utilizes the formulas that depend on m . To this end, the source-code transformer inserts one or more program statements into the source code that initializes c3 .
- n which for instance may be any "useful" value that is computed by the original program.
- the obfuscated calls are very unusual in that their targets are computed, thereby causing the obfuscated code to stand out in a larger body of unprotected code. Disguising the calls as (virtual) method calls, which are common in e.g. C++, makes the obfuscated code blend better with other code.
- a C++ method call has generally the following form (illustrated by lowering the C++ to C code):
- a dispatch table contains entries for all virtual methods of a class (including inherited ones). Each entry, like method1, is a function pointer. The dispatch table is accessed via the instance pointer ("this").
- the transformed source code of the present example thus becomes
- portable radio communications equipment includes all equipment such as mobile telephones, pagers, communicators, i.e. electronic organisers, smart phones, personal digital assistants (PDAs), handheld computers, or the like.
- the method described herein may be combined with other tamper-protection techniques, e.g. other code obfuscation techniques, such as code encryption and/or other techniques e.g. as described in Colberg et al. (ibid.) such as approaches for obfuscation of the local control flow within a function.
- the method described herein complements such transformations by offering a mechanism that obfuscates function calls.
- the method described herein may be combined with obfuscation methods that prevent the dynamic analysis of the program code, so as to further increase the protection against undesired tampering attempts based on an analysis and/or reverse engineering of the software component to be protected.
- a possible dynamic attack may include the recording of entry points of functions when a call site is executed.
- the down-side of such a dynamic analysis is that it underestimates the call graph.
- An attacker does not know when all possible execution paths through the code have been exercised.
- an attacker is faced with the problem of providing stimuli that will trigger functionality that he or she might not be aware of.
- a call site is polymorph, i.e. refers to one out of several functions depending on the program state, it is insufficient to execute the call only once. Again, it is non-trivial to come up with stimuli that exercise every possible call.
- the method described in here provides particularly good protection for software components that make heavy use of polymorphism, e.g. when the code of the transformed calls looks the same as the polymorph calls, as described herein.
- the method, product means, and device described herein can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed microprocessor.
- several of these means can be embodied by one and the same item of hardware, e.g. a suitably programmed microprocessor, one or more digital signal processor, or the like.
- a suitably programmed microprocessor one or more digital signal processor, or the like.
Claims (17)
- Computer-implementiertes Verfahren zum Absichern eines Computerprogramms vor Manipulationen, wobei das Verfahren umfasst:- Verarbeiten (103) einer Eingabedarstellung (101) des Computerprogramms, um einen Funktionsaufruf zu identifizieren, wobei der Funktionsaufruf dazu ausgebildet ist, zu bewirken, dass ein Datenverarbeitungssystem mit der Ausführung des Computerprogramms an einer vorbestimmten Eingangspunkt-Speicheradresse einer Funktion fortfährt, wenn die Ausführung eine aufrufenden Stelle erreicht hat, und dass es bei Beendigung der Funktion zu der aufrufenden Stelle zurückkehrt und die Ausführung des Computerprogramms ab der aufrufenden Stelle weiter fortsetzt, wenn das Computerprogramm von einem Datenverarbeitungssystem ausgeführt wird;- Ersetzen (105) des identifizierten Funktionsaufrufs durch einen modifizierten Funktionsaufruf, wobei der modifizierte Funktionsaufruf einen algebraischen Ausdruck enthält, wobei dieser dazu ausgebildet ist, zu bewirken, dass das Datenverarbeitungssystem die Eingangspunkt-Speicheradresse berechnet, wenn das Computerprogramm von dem Datenverarbeitungssystem ausgeführt wird, wobei der algebraische Ausdruck eine Decodierfunktion zum Berechnen der Eingangspunkt-Speicheradresse aus einem Parametersatz darstellt;- Bestimmen (115) eines entsprechenden Parameterwertes eines jeden Parameters des Parametersatzes aus einer der Decodierfunktion entsprechenden Codierfunktion;- Erzeugen (110, 112, 115) einer ausführbaren Darstellung (116) des Computerprogramms aus der Eingabedarstellung, wobei die ausführbare Darstellung einen oder mehrere computer-ausführbare Befehle zum Bewirken, dass das Datenverarbeitungssystem die bestimmten Parameterwerte entsprechenden Parametern des Parametersatzes zuweist, enthält.
- Verfahren nach Anspruch 1, wobei das Erzeugen der ausführbaren Darstellung Folgendes umfasst:- Transformieren (110, 120) der Eingabedarstellung in eine vorläufige ausführbare Darstellung (113);- Abändern (115) der vorläufigen ausführbaren Darstellung, sodass diese einen oder mehrere computer-ausführbare Befehle zum Bewirken, dass das Datenverarbeitungssystem die bestimmten Parameterwerte entsprechenden Parametern des Parametersatzes zuweist, enthält.
- Verfahren nach Anspruch 2, wobei das Ersetzen des identifizierten Funktionsaufrufs durch einen modifizierten Funktionsaufruf ferner ein Einfügen in die Eingabedarstellung von einer oder mehreren Programmanweisungen zum Zuweisen eines entsprechenden vorläufigen Werts einem jeden der Parameter umfasst; und wobei das Abändern ein Abändern von einem oder mehreren computer-ausführbaren Befehlen gemäß den eingefügten einen oder mehreren Programmanweisungen umfasst, um zu bewirken, dass das Datenverarbeitungssystem die bestimmten Parameterwerte entsprechenden Parametern des Parametersatzes zuweist.
- Verfahren nach einem der Ansprüche 1 bis 3, ferner umfassend:Identifizierung einer Vielzahl von Funktionsaufrufen und Ersetzen der Funktionsaufrufe durch entsprechende modifizierte Funktionsaufrufe, wobei ein jeweiliger modifizierter Funktionsaufruf einer verschiedenen Decodierfunktion entspricht.
- Verfahren nach einem der Ansprüche 1 bis 4, ferner umfassend:- Bereitstellen einer erweiterten Codierfunktion, die eine viele-auf-eine Relation zwischen einer Speicheradresse und dem Parametersatz darstellt, wobei eine Mehrzahl von Parameterwertsätzen des Parametersatzes die Speicheradresse codieren;- Einfügen von einem oder mehreren zusätzlichen Programmanweisungen, die dazu ausgebildet sind, zu bewirken, dass das Datenverarbeitungssystem einen aktuellen Parameterwertsatz des Parametersatzes von einem ersten der Vielzahl der Parameterwertsätze in einen zweiten der Vielzahl der Parameterwertsätze ändert, wenn der Programmcode von dem Datenverarbeitungssystem ausgeführt wird.
- Verfahren nach Anspruch 5, wobei die eine oder die mehreren zusätzlichen Programmanweisungen einen oder mehrere Parameterzeiger auf entsprechende Speicheradressen zum Speichern des Satzes von Parameterwerten enthalten.
- Ein Verfahren nach einem der Ansprüche 1 bis 6, ferner umfassend:Einfügen von einer oder mehreren hilfsweisen Programmanweisungen, die dazu ausgebildet sind, zu bewirken, dass das Datenverarbeitungssystem einen Satz von vorübergehenden Parameterwerten dem Parametersatz zuweist; wobei der Satz vorübergehender Parameterwerte zu einem Wert der Decodierfunktion führt, der von der Eingangspunkt-Speicheradresse verschieden ist.
- Verfahren nach Anspruch 7, wobei die eine oder mehreren hilfsweisen Programmanweisungen dazu ausgebildet sind, zu bewirken, dass das Datenverarbeitungssystem den Satz vorübergehender Parameterwerte dem Parametersatz als einen Satz von anfänglichen Werten zuweist.
- Verfahren nach einem der Ansprüche 1 bis 8, ferner umfassend: Parsen der Eingabedarstellung, um den Funktionsaufruf zu identifizieren.
- Verfahren nach einem der Ansprüche 1 bis 9, wobei die Eingabedarstellung des Computerprogramms mindestens ein Eingabequellcodemodul umfasst.
- Verfahren nach einem der Ansprüche 1 bis 10, umfassend:- Identifizieren einer Ausführungstabelle (401), die einen oder mehrere Verweise (402) auf entsprechende Eingangspunktadressen (403) enthält;- Einfügen von einer oder mehreren entsprechenden ausführbaren Anweisungen (504) in die Eingabedarstellung zum Berechnen der Eingangspunktadressen;- Ersetzen der einen oder mehreren Verweise durch Zeiger (502) auf entsprechende Anweisungen der eingefügten ausführbaren Anweisungen.
- Verfahren nach einem der Ansprüche 1 bis 11, umfassend Verschleiern der Funktionsaufrufe mittels eines Funktionszeigers und/oder einer Ausführungstabelle.
- Verfahren nach einem der Ansprüche 1 bis 12, wobei der identifizierte Funktionsaufruf einen Verweis auf einen Funktionsnamen enthält, und wobei das Ersetzen des identifizierten Funktionsaufrufs das Ersetzen des Verweises durch ausführbaren Code zum Berechnen des entsprechenden Eingangspunktadressworts umfasst.
- Datenverarbeitungssystem, das dazu ausgebildet ist, die Schritte des Verfahrens nach einem der Ansprüche 1 bis 13 auszuführen.
- Computerprogrammprodukt mit computer-ausführbaren Programmcodemitteln (622), die dazu ausgebildet sind, zu bewirken, dass ein Datenverarbeitungssystem (600) das Verfahren nach einem der Ansprüche 1 bis 14 ausführt, wenn die Programmcodemittel durch das Datenverarbeitungssystem ausgeführt werden.
- Computerprogrammprodukt nach Anspruch 15, mit einem computer-lesbaren Medium, das darauf gespeichert die Programmcodemittel aufweist.
- Computerprogrammprodukt nach Anspruch 15 oder 16, wobei das Computerprogrammprodukt ferner umfasst:- ein Transformationsmodul zum Identifizieren eines Funktionsaufrufs in einer Eingabedarstellung eines Eingabecomputerprogramms und zum Ersetzen des identifizieren Funktionsaufrufs mit einem abgeänderten Funktionsaufruf, der eine Decodierfunktion enthält; und- ein Nachverarbeitungsmodul zum Abändern einer ausführbaren Darstellung des Eingabecomputerprogramms, so dass es einen oder mehrere computer-ausführbare Befehle enthält, die eine der Decodierfunktion entsprechende Codierfunktion darstellen.
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AT06388071T ATE438151T1 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von computerprogrammcodes |
EP06388071A EP1936532B1 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
DE602006008166T DE602006008166D1 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
EP09166489A EP2107489A3 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
CN200780047128.1A CN101568927B (zh) | 2006-12-21 | 2007-12-19 | 混淆计算机程序代码 |
PCT/EP2007/011156 WO2008074483A1 (en) | 2006-12-21 | 2007-12-19 | Obfuscating computer program code |
US12/515,621 US8286251B2 (en) | 2006-12-21 | 2007-12-19 | Obfuscating computer program code |
TW096149583A TW200841209A (en) | 2006-12-21 | 2007-12-21 | Obfuscating computer program code |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06388071A EP1936532B1 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP09166489A Division EP2107489A3 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1936532A1 EP1936532A1 (de) | 2008-06-25 |
EP1936532B1 true EP1936532B1 (de) | 2009-07-29 |
Family
ID=38093500
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06388071A Active EP1936532B1 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
EP09166489A Withdrawn EP2107489A3 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP09166489A Withdrawn EP2107489A3 (de) | 2006-12-21 | 2006-12-21 | Verschleierung von Computerprogrammcodes |
Country Status (7)
Country | Link |
---|---|
US (1) | US8286251B2 (de) |
EP (2) | EP1936532B1 (de) |
CN (1) | CN101568927B (de) |
AT (1) | ATE438151T1 (de) |
DE (1) | DE602006008166D1 (de) |
TW (1) | TW200841209A (de) |
WO (1) | WO2008074483A1 (de) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8751823B2 (en) | 2011-08-01 | 2014-06-10 | Apple Inc. | System and method for branch function based obfuscation |
Families Citing this family (194)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US9027135B1 (en) | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
EP1947584B1 (de) | 2006-12-21 | 2009-05-27 | Telefonaktiebolaget LM Ericsson (publ) | Verschleierung von Computerprogrammcodes |
US8621606B1 (en) * | 2007-12-31 | 2013-12-31 | Symantec Corporation | Systems and methods for identifying external functions called by untrusted applications |
US8800048B2 (en) * | 2008-05-20 | 2014-08-05 | Microsoft Corporation | Software protection through interdependent parameter cloud constrained software execution |
US8185749B2 (en) | 2008-09-02 | 2012-05-22 | Apple Inc. | System and method for revising boolean and arithmetic operations |
US8429637B2 (en) * | 2008-09-02 | 2013-04-23 | Apple Inc. | System and method for conditional expansion obfuscation |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US20100153912A1 (en) * | 2008-12-15 | 2010-06-17 | Apple Inc. | Variable type knowledge based call specialization |
US8943482B2 (en) | 2009-05-15 | 2015-01-27 | International Business Machines Corporation | Incrementally constructing executable code for component-based applications |
US8544089B2 (en) * | 2009-08-17 | 2013-09-24 | Fatskunk, Inc. | Auditing a device |
US8302210B2 (en) | 2009-08-24 | 2012-10-30 | Apple Inc. | System and method for call path enforcement |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
EP2486482B1 (de) * | 2009-10-08 | 2018-02-28 | Irdeto B.V. | System und verfahren für aggressive selbstmodifikation in dynamischen funktionsrufsystemen |
US20110167407A1 (en) * | 2010-01-06 | 2011-07-07 | Apple Inc. | System and method for software data reference obfuscation |
WO2011116448A1 (en) * | 2010-03-25 | 2011-09-29 | Irdeto Canada Corporation | System and method for dynamic, variably-timed operation paths as a resistance to side channel and repeated invocation attacks |
US8667301B2 (en) * | 2010-04-01 | 2014-03-04 | Apple Inc. | Obfuscating transformations on data array content and addresses |
KR101256149B1 (ko) * | 2010-07-12 | 2013-04-19 | 홍익대학교 산학협력단 | 프로그램 카운터 인코딩을 이용한 간접 함수 호출 보호 방법 및 보호 장치 |
US20120079462A1 (en) * | 2010-09-24 | 2012-03-29 | SoftKrypt LLC | Systems and methods of source software code obfuscation |
EP2831791B1 (de) * | 2012-03-30 | 2020-10-21 | Irdeto B.V. | Sicherung von zugangssystemen durch vernetzung |
US9256419B2 (en) * | 2012-04-23 | 2016-02-09 | Hewlett Packard Enterprise Development Lp | Dynamic software updates |
JP5939074B2 (ja) * | 2012-07-31 | 2016-06-22 | 富士通株式会社 | コード処理方法、情報処理装置およびプログラム |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9721120B2 (en) | 2013-05-14 | 2017-08-01 | Apple Inc. | Preventing unauthorized calls to a protected function |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9104869B2 (en) * | 2013-07-31 | 2015-08-11 | Ebay Inc. | Systems and methods for defeating malware with polymorphic software |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
CN104751026B (zh) * | 2013-12-25 | 2018-11-02 | 中国移动通信集团公司 | 安卓系统的软件保护方法、软件应用方法及相关装置 |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9507935B2 (en) | 2014-01-16 | 2016-11-29 | Fireeye, Inc. | Exploit detection system with threat-aware microvisor |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US10599820B2 (en) * | 2014-04-23 | 2020-03-24 | Nxp B.V. | Control flow flattening for code obfuscation where the next block calculation needs run-time information |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9767004B2 (en) * | 2014-06-16 | 2017-09-19 | Symantec Corporation | Dynamic call tracking method based on CPU interrupt instructions to improve disassembly quality of indirect calls |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
EP3238113B1 (de) * | 2014-12-22 | 2018-09-26 | Koninklijke Philips N.V. | Verschleierung einer programmausführung |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US20170187690A1 (en) * | 2015-12-24 | 2017-06-29 | Mcafee, Inc. | Mitigating bot scans of sensitive communications |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US10650046B2 (en) | 2016-02-05 | 2020-05-12 | Sas Institute Inc. | Many task computing with distributed file system |
US10642896B2 (en) | 2016-02-05 | 2020-05-05 | Sas Institute Inc. | Handling of data sets during execution of task routines of multiple languages |
US10795935B2 (en) | 2016-02-05 | 2020-10-06 | Sas Institute Inc. | Automated generation of job flow definitions |
CN107203707B (zh) * | 2016-03-16 | 2020-05-12 | 阿里巴巴集团控股有限公司 | 一种实现程序代码混淆的方法和系统 |
US10242078B2 (en) | 2016-03-23 | 2019-03-26 | International Business Machines Corporation | Data dump formatting utilizing dynamically created control structures |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
CN108304187A (zh) * | 2016-08-24 | 2018-07-20 | 北京花甲科技有限公司 | 一种静态库的生成方法以及设备 |
US10354069B2 (en) * | 2016-09-02 | 2019-07-16 | Bae Systems Information And Electronic Systems Integration Inc. | Automated reverse engineering |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10394554B1 (en) * | 2016-09-09 | 2019-08-27 | Stripe, Inc. | Source code extraction via monitoring processing of obfuscated byte code |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10311217B2 (en) * | 2016-12-09 | 2019-06-04 | Microsoft Technology Licensing, Llc | Application piracy prevention with secure enclave protection of automatically modularized functions |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
USD898059S1 (en) | 2017-02-06 | 2020-10-06 | Sas Institute Inc. | Display screen or portion thereof with graphical user interface |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
USD898060S1 (en) | 2017-06-05 | 2020-10-06 | Sas Institute Inc. | Display screen or portion thereof with graphical user interface |
WO2018236691A1 (en) * | 2017-06-20 | 2018-12-27 | Vfunction, Inc. | SYSTEMS AND METHODS FOR PERFORMING SOFTWARE APPLICATIONS ON DISTRIBUTED APPLICATION DEVELOPMENT ENVIRONMENTS |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US10503498B2 (en) | 2017-11-16 | 2019-12-10 | Sas Institute Inc. | Scalable cloud-based time series analysis |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
EP3534253A1 (de) * | 2018-02-28 | 2019-09-04 | Koninklijke Philips N.V. | Kompilierungsvorrichtung und -verfahren |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US10762179B2 (en) * | 2018-08-08 | 2020-09-01 | Irdeto B.V. | System and method for watermarking software |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US10776460B2 (en) | 2018-10-15 | 2020-09-15 | KameleonSec Ltd. | Proactive security system based on code polymorphism |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11764940B2 (en) | 2019-01-10 | 2023-09-19 | Duality Technologies, Inc. | Secure search of secret data in a semi-trusted environment using homomorphic encryption |
CN110389753B (zh) * | 2019-06-06 | 2024-01-23 | 五八有限公司 | 原生应用的链式调用方法、装置、电子设备及存储介质 |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11301223B2 (en) | 2019-08-19 | 2022-04-12 | International Business Machines Corporation | Artificial intelligence enabled function logic infusion |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
CN111475168B (zh) * | 2020-04-14 | 2023-05-05 | 中国人民解放军战略支援部队信息工程大学 | 一种代码编译方法及装置 |
US11366648B2 (en) * | 2020-05-28 | 2022-06-21 | Red Hat, Inc. | Compiling monoglot function compositions into a single entity |
US11714615B2 (en) | 2020-09-18 | 2023-08-01 | International Business Machines Corporation | Application migration using cost-aware code dependency graph |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2293650C (en) | 1997-06-09 | 2012-09-25 | Christian Sven Collberg | Obfuscation techniques for enhancing software security |
CN1173269C (zh) * | 2001-02-01 | 2004-10-27 | 英业达股份有限公司 | 用于卸载的监控方法 |
US6694435B2 (en) * | 2001-07-25 | 2004-02-17 | Apple Computer, Inc. | Method of obfuscating computer instruction streams |
US7383443B2 (en) * | 2002-06-27 | 2008-06-03 | Microsoft Corporation | System and method for obfuscating code using instruction replacement scheme |
CN100465853C (zh) * | 2004-11-15 | 2009-03-04 | 南京大学 | 基于程序内部行为监控的软件安全保障的方法 |
US7684930B2 (en) * | 2006-08-24 | 2010-03-23 | The Invention Science Fund I, Llc | System for obfuscating identity |
EP1947584B1 (de) | 2006-12-21 | 2009-05-27 | Telefonaktiebolaget LM Ericsson (publ) | Verschleierung von Computerprogrammcodes |
-
2006
- 2006-12-21 AT AT06388071T patent/ATE438151T1/de not_active IP Right Cessation
- 2006-12-21 EP EP06388071A patent/EP1936532B1/de active Active
- 2006-12-21 EP EP09166489A patent/EP2107489A3/de not_active Withdrawn
- 2006-12-21 DE DE602006008166T patent/DE602006008166D1/de not_active Expired - Fee Related
-
2007
- 2007-12-19 US US12/515,621 patent/US8286251B2/en active Active
- 2007-12-19 CN CN200780047128.1A patent/CN101568927B/zh active Active
- 2007-12-19 WO PCT/EP2007/011156 patent/WO2008074483A1/en active Application Filing
- 2007-12-21 TW TW096149583A patent/TW200841209A/zh unknown
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8751823B2 (en) | 2011-08-01 | 2014-06-10 | Apple Inc. | System and method for branch function based obfuscation |
Also Published As
Publication number | Publication date |
---|---|
CN101568927A (zh) | 2009-10-28 |
EP2107489A3 (de) | 2009-11-04 |
EP1936532A1 (de) | 2008-06-25 |
EP2107489A2 (de) | 2009-10-07 |
CN101568927B (zh) | 2012-02-08 |
WO2008074483A1 (en) | 2008-06-26 |
TW200841209A (en) | 2008-10-16 |
ATE438151T1 (de) | 2009-08-15 |
DE602006008166D1 (de) | 2009-09-10 |
US20100251378A1 (en) | 2010-09-30 |
US8286251B2 (en) | 2012-10-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1936532B1 (de) | Verschleierung von Computerprogrammcodes | |
EP1947584B1 (de) | Verschleierung von Computerprogrammcodes | |
Roundy et al. | Binary-code obfuscations in prevalent packer tools | |
US7254586B2 (en) | Secure and opaque type library providing secure data protection of variables | |
Madou et al. | Software protection through dynamic code mutation | |
US20170024230A1 (en) | Method, apparatus, and computer-readable medium for ofuscating execution of an application on a virtual machine | |
JP7154365B2 (ja) | ソフトウェアコードをセキュアにするための方法 | |
Popa | Techniques of program code obfuscation for secure software | |
Cimato et al. | Overcoming the obfuscation of Java programs by identifier renaming | |
Schrittwieser et al. | Covert computation: Hiding code in code for obfuscation purposes | |
Suk et al. | SCORE: source code optimization & reconstruction | |
EP3574425B1 (de) | Verfahren zur sicherung eines softwarecodes | |
Saıdi et al. | Experiences in malware binary deobfuscation | |
Wang et al. | Fpvalidator: validating type equivalence of function pointers on the fly | |
CN117473467A (zh) | 一种基于动态方法的.Net平台代码保护及运行方法 | |
Moreira et al. | Go With the FLOW: Fine-Grained Control-Flow Integrity for the Kernel | |
You et al. | Protection against format string attacks by binary rewriting | |
Solutions | DashO User's Guide | |
Singh et al. | Reverse Engineering | |
Singh | Fundamental of reverse engineering | |
Moreira et al. | Control-Flow Integrity for the Kernel | |
Maebe | Bart Coppens, Computer Systems Lab, Ghent University Bjorn De Sutter, Computer Systems Lab, Ghent University | |
Liang | Software code protection through software obfuscation | |
Chen et al. | Two control computation transformation methods for obfuscating Java soft software | |
Kohli | AUTOMATIC DETECTION OF MEMORY CORRUPTION ATTACKS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20080107 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL BA HR MK RS |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
AKX | Designation fees paid |
Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REF | Corresponds to: |
Ref document number: 602006008166 Country of ref document: DE Date of ref document: 20090910 Kind code of ref document: P |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20091129 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20091109 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20091129 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20091029 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed |
Effective date: 20100503 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20100701 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: ST Effective date: 20100831 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20091221 Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20091231 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20091030 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20100701 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20091221 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20100130 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20090729 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101231 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101231 |
|
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230523 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20231227 Year of fee payment: 18 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: NL Payment date: 20231226 Year of fee payment: 18 |